Solved

Linux Syslog Filtering Function Fails For Non /24 Subnets

Forum|Forum|6 hours ago
February 7, 2026
5 replies
5 views

pmcintire228
New Participant

This message originated from Cribl Community Slack.
Click here to view the original link.

trying to drop a bunch of netbios noise from linux syslog and while my function PROTO === "UDP" && (DST.endsWith(".255") || DPT === 137) works, it doesn't account for non /24 subnets, any advice?

Best answer by freimer749

MAC destination is always FF:FF:FF:FF:FF:FF for broadcast, regardless of IP/subnet.

P

pmcintire228
Author
New Participant
Forum|Forum|6 hours ago
February 7, 2026

message:
IN=ens192 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:aa:01:e1:08:00 SRC=10.40.198.57 DST=10.40.198.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=6807 PROTO=UDP SPT=137 DPT=137 LEN=58

Like

P

pmcintire228
Author
New Participant
Forum|Forum|6 hours ago
February 7, 2026

no subnet mask :disappointed:

Like

F

freimer749
New Participant
Answer
Forum|Forum|6 hours ago
February 7, 2026

MAC destination is always FF:FF:FF:FF:FF:FF for broadcast, regardless of IP/subnet.

Like

P

pmcintire228
Author
New Participant
Forum|Forum|6 hours ago
February 7, 2026

Ah good catch ty!

Like

P

pmcintire228
Author
New Participant
Forum|Forum|6 hours ago
February 7, 2026

PROTO == "UDP" && (MAC.startsWith("ff:ff:ff:ff:ff:ff") && DPT == "137")

Like

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded